Bump urllib3 from 2.6.3 to 2.7.0 in /python#13978
Conversation
Automated Code Review
Reviewers: 4 | Confidence: 72%
✓ Correctness
This is a straightforward dependency bump of urllib3 from 2.6.3 to 2.7.0 in the uv.lock file, along with related constraint updates for boto3 (<1.41.0 → <1.43.0), google-genai (~=1.51.0 → >=1.51,<1.75), and pydantic (<2.13 → <2.14). All lock file changes are consistent with the dependency specifiers declared in python/pyproject.toml. The urllib3 2.7.0 release drops Python 3.9 support, but this project requires Python >=3.10, so there is no compatibility concern. CI tests run on Python 3.10, 3.11, and 3.12 only. The urllib3 2.7.0 release includes security fixes for decompression-bomb safeguards and header-stripping on redirects. No correctness issues found.
✓ Security Reliability
This is a lockfile-only dependency bump that updates urllib3 from 2.6.3 to 2.7.0, picking up two high-severity security fixes (decompression-bomb safeguard bypass and sensitive header leak on redirect via ProxyManager). The project already requires Python >=3.10, so urllib3 2.7.0 dropping Python 3.9 is not a concern. The accompanying version-range widenings for boto3, google-genai, and pydantic are routine upper-bound bumps. Package integrity is protected by sha256 hashes in the lockfile. No security or reliability issues found.
✓ Test Coverage
This PR updates the uv.lock file to bump urllib3 from 2.6.3 to 2.7.0 (which includes security fixes for decompression-bomb bypass and header-stripping on redirect), along with widened version ranges for boto3, google-genai, and pydantic. All changes are confined to the lock file with no application or test code modifications. Since no project behavior is changed—only transitive dependency versions are updated—there is no new behavior requiring additional test coverage.
✗ Design Approach
The urllib3 bump is incomplete for the Python tree: it updates the top-level SDK lockfile, but a documented demo project under python/samples/demos/mcp_with_oauth still carries its own uv.lock pinned to an older urllib3, so users following that demo path will continue to resolve the pre-fix version.
Flagged Issues
- The documented python/samples/demos/mcp_with_oauth demo still carries its own uv.lock pinned to urllib3 2.5.0 (python/samples/demos/mcp_with_oauth/uv.lock:2414-2419), and its README instructs users to run from that directory (README.md:55-58). This PR does not fully remove the older urllib3 pin from the /python subtree.
Automated review by dependabot[bot]'s agents
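The nested-lockfile gap flagged in the Design Approach review above is the kind of thing that is easy to miss when checking a dependency bump by hand. The following is an added example, not code from this PR or from the project, that scans every uv.lock under a checkout and reports any file that still pins a package below a required version. The two lockfile excerpts are constructed to mirror the situation the review describes (a top-level lock on 2.7.0, a demo lock on 2.5.0); their URLs and hashes are placeholders. Reading only the name/version pairs of `[[package]]` tables is a deliberate minimal scan rather than a full TOML parse, so it needs no third-party library.

```python
"""Flag uv.lock files that pin a package below a minimum version.

Added example, not part of the project: generalises the manual check in the
Design Approach review (is urllib3 still pinned below 2.7.0 in any nested
uv.lock?) to any package and any number of lockfiles in a tree.
"""
from __future__ import annotations

import re
from pathlib import Path

# Constructed excerpts of two uv.lock files modelled on the PR description:
# the top-level lock already on urllib3 2.7.0, the nested demo lock still on
# 2.5.0. URLs and hashes below are placeholders, not real digests.
SAMPLE_LOCKS = {
    "python/uv.lock": '''
version = 1
requires-python = ">=3.10"

[[package]]
name = "pydantic"
version = "2.12.0"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "urllib3"
version = "2.7.0"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://example.invalid/urllib3-2.7.0.tar.gz", hash = "sha256:placeholder" }
''',
    "python/samples/demos/mcp_with_oauth/uv.lock": '''
version = 1
requires-python = ">=3.10"

[[package]]
name = "urllib3"
version = "2.5.0"
source = { registry = "https://pypi.org/simple" }
dependencies = [
    { name = "brotli" },
]
''',
}

# A [[package]] header on its own line starts a new package table.
_PACKAGE_TABLE = re.compile(r"^\[\[package\]\]\s*$", re.MULTILINE)
# Bare `name = "..."` / `version = "..."` lines; nested inline tables such as
# `{ name = "brotli" }` under `dependencies` are indented and do not match.
_FIELD = re.compile(r'^(name|version)\s*=\s*"([^"]+)"\s*$', re.MULTILINE)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn "2.7.0" into (2, 7, 0); a non-numeric tail such as rc1 is dropped."""
    parts: list[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def locked_versions(lock_text: str) -> dict[str, str]:
    """Map package name -> locked version for the contents of one uv.lock."""
    found: dict[str, str] = {}
    # Everything before the first [[package]] is file metadata; skip it.
    for table in _PACKAGE_TABLE.split(lock_text)[1:]:
        fields = dict(_FIELD.findall(table))
        if "name" in fields and "version" in fields:
            found[fields["name"].lower()] = fields["version"]
    return found


def stale_pins(locks: dict[str, str], package: str, minimum: str) -> list[tuple[str, str]]:
    """Return (lock path, version) for every lock pinning `package` below `minimum`."""
    floor = parse_version(minimum)
    stale = []
    for path, text in locks.items():
        version = locked_versions(text).get(package.lower())
        if version is not None and parse_version(version) < floor:
            stale.append((path, version))
    return sorted(stale)


def scan_tree(root: str | Path) -> dict[str, str]:
    """Collect every uv.lock under `root`, keyed by path relative to root."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_text(encoding="utf-8") for p in root.rglob("uv.lock")}


if __name__ == "__main__":
    # Against a real checkout: stale_pins(scan_tree("."), "urllib3", "2.7.0")
    for path, version in stale_pins(SAMPLE_LOCKS, "urllib3", "2.7.0"):
        print(f"{path}: urllib3 {version} < 2.7.0")
```

Run against a checkout with `stale_pins(scan_tree("."), "urllib3", "2.7.0")`; a non-empty result is exactly the condition the reviewer flagged, and it catches the same gap for any other package whose fix lands only in the top-level lock.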
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.6.3...2.7.0)
---
updated-dependencies:
- dependency-name: urllib3
  dependency-version: 2.7.0
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
b590234 to 0b71933
moonbox3
left a comment
Approved after current CI/CD checks are green.
@copilot: address the unresolved review thread by also bumping urllib3 in python/samples/demos/mcp_with_oauth/uv.lock so the documented demo no longer resolves the older urllib3 version, then rerun/fix CI/CD as needed.
Done — updated
moonbox3
left a comment
Approved after Copilot addressed the nested urllib3 lockfile issue, branch was updated, and CI/CD is green.
Motivation and Context
Bumps urllib3 from 2.6.3 to 2.7.0 across the Python project, including the mcp_with_oauth demo, to pick up the latest security and bug fixes.
Description
- urllib3 from 2.6.3 to 2.7.0 in python/uv.lock
- urllib3 from 2.5.0 to 2.7.0 in python/samples/demos/mcp_with_oauth/uv.lock so the demo no longer resolves an older urllib3 version
Contribution Checklist